Changes between Version 5 and Version 6 of TIEDABACDemo
Timestamp:
07/10/09 14:39:30 (15 years ago)
Author:
faber@isi.edu

  • TIEDABACDemo

    v5 v6  
    3737[[Image(Simple.png)]]
    3838
    39 The image above shows a simple delegation.  The GPO prinicpal has delegated the power to grant principals the GPO.demo attribute to USC by asserting that any USC.GENI principal also has the GPO.demo attribute.  Ted has the GPO.demo attribute because he is a USC.GENI principal and all USC.GENI principals are GPO.demo prinicpals.  The arrow between '''ISI.GENI''' and Ted is the familiar assertion by a principal assigning another principal the attribute;  The arrow between '''GPO.demo''' and '''ISI.GENI''' represents a signed assertion about the two attributes.  That attribute is signed by the GPO principal.
     39The image above shows a simple delegation.  The GPO prinicpal has delegated the power to grant principals the GPO.demo attribute to USC by asserting that any principal with the ISI.GENI attribute also has the GPO.demo attribute. We now show how to demonstrate that a given principal has a delegated attribute.
    4040
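Review bot: The new line 39 contradicts itself: it says the GPO delegated the power to USC, but then conditions the delegation on the ISI.GENI attribute, where the old text said "any USC.GENI principal"; pick one organisation (the image label and the later paragraphs use ISI.GENI) and use it consistently. "prinicpal" is still misspelled. The rewrite also drops the old sentences explaining what the two arrows mean (a principal assigning another principal an attribute versus a signed assertion relating two attributes, signed by the GPO principal); the Creds paragraph below depends on the reader knowing that edges are credentials, so consider keeping a version of that explanation.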
    4141[[Image(Creds.png)]]
    4242
    43 The image above shows how to walk the chain of attribute assignments and delegations to prove a principal has a given attribute.  In this case, it shows that Ted has the GOP.demo attribute.  Proving a principal has an attribute is equivalent to finding a path from principal to attribute in the graph induced above.  We use this representation in our configuration and visualization tool to help administrators.
     43The image above shows how to walk the chain of attribute assignments and delegations to prove a principal has a given attribute.  In this case, it shows that Ted has the GOP.demo attribute.  Proving a principal has an attribute is equivalent to finding a path from principal to attribute in the graph induced above.  The edges all represent credentials that the GPO or Ted are in possesion of that can be combined to demonstrate that Ted possesses the GPO.demo attribute.
     44
     45We use this representation in our configuration and visualization tool to help administrators.
    4446
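Review bot: "GOP.demo" on line 43 is a typo for GPO.demo that was carried over from v5, and "possesion" should be "possession". The phrase "credentials that the GPO or Ted are in possesion of that can be combined" reads awkwardly; "credentials held by the GPO or Ted that can be combined" says the same thing more cleanly.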
    4547[[Image(Linked.png)]]
    4648
    47 A linked role is specified by a different attribute that links the authorizing attribute (in parens) to the delegating attribute by a dot, and the arrow completes the delegation.
     49A linked role is specified by a different attribute that links the authorizing attribute (in parens) to the delegating attribute by a dot, and the arrow completes the delegation.  The following shows the graphical representation of walking a chain of credentials that inclides a linked credential showing that Ted has the GPO.demo attribute.
    4850
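Review bot: "inclides" on line 49 should be "includes". Since this sentence introduces the LinkedCreds image, it would help a text-only reader to name which attribute is the authorizing one (the one "in parens") and which is the delegating attribute in this particular example, so they can match the description to the figure.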
    4951[[Image(LinkedCreds.png)]]
     52
     53This introduces two kind of links to the graph.  The first is a link that represents a linked role, the link from the red box to the GPO.demo attribute represents a new kind of credential - one that defines conditions for delegation (a linked role) rather than a direct delegation.  The presence of that credential, and the credential indicating that the NSF asserts that ISI is NSF.funded creates the blue dotted edge.  No single credential represents that edge; the presence of both a credential defining the authorizing set for GPO.demo and one showing that ISI is in the authorizing set creates the edge.
     54
     55Once the edge is present, again, showing that Ted has the GPO.demo attribute is a matter of showing the path.
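Review bot: Line 53 announces "two kind of links" (should be "two kinds of links") and describes the first, but never explicitly labels the second; the blue dotted edge that no single credential represents is the second kind, so say so. The opening sentence is also a comma splice ("...represents a linked role, the link from the red box...") and should be split in two. "the red box" only makes sense alongside the image; naming the attribute it stands for would keep the text self-contained.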